PT-2023-14753 · Python+3 · Python+4
John Gemignani · Published 2023-02-04 · Updated 2025-03-26
CVE-2022-45786
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AGE for PostgreSQL 11, versions up to and including 1.1.0; AGE for PostgreSQL 12, versions up to and including 1.1.0
Description: The AGE drivers for Golang and Python contain issues that allow SQL injection. The root cause is the nature of the cypher() function, which cannot be parameterized directly, so a driver that assembles the cypher() call from caller-supplied strings is open to SQL injection if the driver developer was not careful. The fix is to update to the latest Golang and Python drivers together with the latest version of AGE for PostgreSQL 11 or PostgreSQL 12. The AGE update adds a new function that makes the cypher() call parameterizable, which, in conjunction with the driver updates, resolves this issue.
Recommendations: Update to the latest Golang and Python drivers together with the latest version of AGE for PostgreSQL 11 or PostgreSQL 12; the AGE update adds the new function that enables parameterization of the cypher() function, and the drivers use it. As a temporary workaround until a patch can be applied, consider restricting the use of the cypher() function.
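The following is an added example, not text from this advisory and not the AGE project's own driver code. It contrasts the driver-side pattern the description refers to (splicing the graph name and Cypher statement into the SQL text passed to cypher(), which cannot be bound as a parameter) with a hardened two-step form in which user data only ever travels as bound parameters to a server-side prepare step. The prepare function is assumed to be age_prepare_cypher() from the patched AGE release; the advisory itself does not name it. The graph-name allowlist, the input values, and the %s placeholder style (psycopg2) are constructed for this illustration.

```python
"""Added example: vulnerable vs. parameterized construction of an AGE cypher() call.

Not the advisory's text and not the AGE project's driver code.  Assumption: the
server-side helper introduced by the patched AGE release is age_prepare_cypher();
the advisory only says "a new function".
"""
import re
from typing import Tuple

# Defence-in-depth allowlist for graph names (constructed for this example).
# It is NOT a substitute for parameter binding; it only shrinks the input space.
_GRAPH_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def graph_name_is_valid(graph: str) -> bool:
    """True only for identifier-like graph names."""
    return bool(_GRAPH_NAME_RE.match(graph))


def build_cypher_sql_unsafe(graph: str, cypher_stmt: str) -> str:
    """Vulnerable pattern (the 'before' state the advisory describes).

    The caller's strings are concatenated into the SQL text.  A single quote in
    `graph`, or the sequence $$ inside `cypher_stmt`, terminates the literal
    early and everything after it is parsed as SQL by the server.
    """
    return f"SELECT * FROM cypher('{graph}', $$ {cypher_stmt} $$) AS (v agtype);"


def build_cypher_sql_safe(graph: str, cypher_stmt: str) -> Tuple[Tuple[str, Tuple[str, str]], str]:
    """Hardened pattern: static SQL text, user data only in the parameter tuple.

    Returns ((prepare_sql, params), execute_sql).  The DB-API driver binds
    `params` server-side; this code never quotes or interpolates them.  The
    second statement then runs the prepared Cypher via cypher(NULL, NULL).
    """
    if not graph_name_is_valid(graph):
        raise ValueError("graph name rejected by allowlist")
    prepare_sql = "SELECT * FROM age_prepare_cypher(%s, %s);"
    execute_sql = "SELECT * FROM cypher(NULL, NULL) AS (v agtype);"
    return (prepare_sql, (graph, cypher_stmt)), execute_sql


def safe_builder_rejects(graph: str) -> bool:
    """Check helper: does the hardened builder refuse this graph name?"""
    try:
        build_cypher_sql_safe(graph, "MATCH (n) RETURN n")
    except ValueError:
        return True
    return False


def value_reaches_sql_text(sql_text: str, value: str) -> bool:
    """Check helper: True if a caller-supplied value appears verbatim in the SQL text."""
    return value in sql_text


if __name__ == "__main__":
    # Constructed inputs: a quote in the graph name, and $$ inside the statement.
    quoted_graph = "O'Brien"
    dollar_stmt = "RETURN '$$'"
    print(build_cypher_sql_unsafe(quoted_graph, "MATCH (n) RETURN n"))  # quote breaks out
    print(build_cypher_sql_unsafe("g", dollar_stmt))                     # $$ breaks out
    (prep, params), run = build_cypher_sql_safe("g", "MATCH (n {name: 'O''Brien'}) RETURN n")
    print(prep, params, run)                                             # no user data in SQL
```

The unsafe builder shows the defect without any exploit string: an ordinary name containing an apostrophe already closes the literal early, and a statement containing $$ closes the dollar-quoted block. The safe builder never places caller data in SQL text at all, so the same inputs are inert; the allowlist on the graph name is an extra check a reviewer would expect, not the fix itself.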

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2022-45786
GHSA-6P5Q-H963-PWWF
GO-2024-2587

Affected Products

Age
Golang
Postgresql 11
Postgresql 12
Python